← Back to Baseline

MB-R098

Unsafe XML parsing disabled

C03 Secure Coding Practices High

XML parsers used by imports, integrations, or custom modules must disable external entity expansion and unsafe parser options. Insecure XML parsing can enable XXE, local file disclosure, SSRF, or denial of service. Flag usage patterns such as entity substitution, external DTD loading, or parser flags that expand untrusted XML content.

Why it Matters

Magento integrations often parse XML from feeds, ERPs, shipping providers, payment systems, or imports. Unsafe XML parser settings can allow XXE, SSRF, local file disclosure, or denial of service.

Disabling external entity expansion and unsafe parser features keeps untrusted XML from reaching local files or internal network resources.

Verification Steps

Code scan

grep -RIE "(simplexml_load|DOMDocument|loadXML|LIBXML_NOENT|LIBXML_DTDLOAD)" app/code 2>/dev/null

Parser review

# Confirm external entities and DTD loading are disabled for untrusted XML

Remediation / Fix Guidance

  1. Avoid parsing untrusted XML when JSON or provider SDKs are available.
  2. Disable external entity loading, DTD loading, and entity substitution.
  3. Reject XML with DOCTYPE when not required.
  4. Set size and timeout limits for import feeds.
  5. Add tests with XXE payloads for custom XML parsers.

Examples

Fail Example
$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
# External entities may expand → FAIL
Pass Example
$dom->loadXML($xml, LIBXML_NONET);
# Network access blocked and no entity substitution → PASS

References